The HSE Cyberattack: Lessons Learned
In this article, we look at the 2021 cyberattack on the Health Service Executive (“HSE”), the national healthcare provider for Ireland, and what lessons have been learned from that crisis one year post-incident.
The HSE is the state provider of healthcare in Ireland and is the country's largest employer, with direct and indirect staff totaling over 130,000 people across 54 acute hospitals and over 4,000 locations. Over 70,000 IT devices (PCs, laptops, etc.) are deployed. It is deemed an Operator of Essential Services for the purposes of the EU Network and Information Security Directive (“NISD”). The HSE was formed in 2004 as an amalgamation of prior regional health boards and hospital groups.
From public reports, we know that on March 16, 2021, a malicious email with a Microsoft Excel attachment was sent to an HSE email address. This email – and the attachment – were opened two days later. The malicious code gave the attackers a foothold from which to use “Cobalt Strike” (a commercial penetration-testing framework with remote-access functionality) to deploy Conti ransomware throughout the HSE’s systems. The post-incident investigating authorities believe the bad actors were the Wizard Spider hacking group, based in St. Petersburg, Russia. This cyberattack was the biggest on an Irish state agency in history and is believed to be the largest targeted attack on a health service.
The attack went undetected for approximately eight weeks. There was some detection of malicious activity on March 31, but the HSE antivirus on the “patient zero” computer was set to “monitor” mode, so no blocking actions were taken. On May 13, the HSE’s cybersecurity provider flagged that it had detected 16 threat events since May 7 and that the servers should be restarted. Mere hours after those events were flagged, at 4 a.m. on May 14, 2021, the hackers deployed the ransomware, encrypting multiple systems within the HSE IT infrastructure and exfiltrating data. They left a digital ransom demand reportedly of €16.5M, plus links to a dark web chat room and sample evidence of the intrusion, including patient information and corporate documents. Employee payroll and financial data had also been compromised.
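The two warning signs in the timeline above, an endpoint agent running in detect-only mode and a run of unblocked detections on the same hosts over several days, are exactly what a defender's telemetry review should surface automatically. The script below is an added example written for this article, not code from the HSE, PwC or any vendor; the pipe-delimited log format and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical "timestamp|host|event|action" format), not real logs.
SAMPLE_EVENTS = """\
2021-03-31T09:12:00|ws-finance-17|malware_detected|monitor
2021-05-07T22:40:00|srv-dc-01|suspicious_tool|monitor
2021-05-08T01:15:00|srv-dc-01|suspicious_tool|monitor
2021-05-09T03:02:00|srv-file-04|credential_dump|monitor
2021-05-10T11:48:00|srv-dc-01|lateral_movement|monitor
2021-05-11T14:20:00|ws-hr-03|malware_detected|blocked
2021-05-12T18:05:00|srv-file-04|suspicious_tool|monitor
""".splitlines()

DETECT_ONLY = {"monitor", "audit", "log_only"}  # actions that log but do not stop

def parse_events(lines):
    """Parse pipe-delimited telemetry lines into time-ordered dicts."""
    events = []
    for line in lines:
        ts, host, event, action = line.strip().split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "action": action})
    return sorted(events, key=lambda e: e["ts"])

def detect_only_hosts(events):
    """Hosts where a detection fired but the agent only logged it (policy gap)."""
    return sorted({e["host"] for e in events if e["action"] in DETECT_ONLY})

def unactioned_bursts(events, window=timedelta(days=7), threshold=3):
    """Hosts with >= threshold unblocked detections inside one window: the
    repeat-hit pattern that should trigger isolation, not a restart request."""
    by_host = defaultdict(list)
    for e in events:
        if e["action"] in DETECT_ONLY:
            by_host[e["host"]].append(e["ts"])
    flagged = {}
    for host, stamps in by_host.items():  # stamps inherit the time order
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= window)
            if count >= threshold:
                flagged[host] = count
                break
    return flagged

def dwell_days(events, impact_ts):
    """Whole days from the earliest unblocked detection to the impact time."""
    first = min(e["ts"] for e in events if e["action"] in DETECT_ONLY)
    return (datetime.fromisoformat(impact_ts) - first).days
```

On the constructed data, `dwell_days` measured against an impact time of 2021-05-14T04:00:00 gives 43 days, the gap between the first ignored detection and the encryption event in this scenario.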
The HSE responded swiftly, taking down its entire IT system to block further exfiltration and allowing time to assess and implement its response strategy.
HSE staff went to work that day to find that normal lines of communication had been severed. Email and phone systems were shut down, requiring staff to communicate by way of mobile and analog phone systems. Appointments were canceled, including maternity, oncology, and almost all other outpatient scans. HSE staff were required to revert to paper records. The Office of the Data Protection Commissioner was notified on May 15. Covid vaccination scheduling was disrupted as close contact and GP referral systems were down. The immediate HSE estimates of the remedial costs were put at tens of millions of euros – an estimate which has since been revised to over €100M.
The HSE response included engagement of third-party experts from the US including dark web monitoring for exfiltrated data. An injunction was taken out on May 20 to prevent all publication or sharing of any stolen data. A helpline was established. The Irish Defence Forces CIS (computer information systems) personnel were deployed to hospitals and HSE IT systems locations to conduct “ethical hacking” to resist further attacks. These personnel also assisted with the verification and decryption process when the hackers delivered a decryption key.
On May 28, data relating to 520 patients, together with HSE corporate documents, was discovered to have been published online.
By June 23, approximately 75% of HSE systems had been decrypted, increasing to 95% by September. In September 2021, the Irish authorities took legal action to seize certain domains used by the hackers and investigations are continuing.
PwC was engaged to prepare a post-incident report (“PIR”), which was published on December 10, 2021 and points to a range of contributing factors. Interestingly, it also identified a number of ways in which the attack could have been far more severe. The HSE’s history as an amalgamated organization made it more vulnerable to an attack, as its systems had not been fully integrated. The cybersecurity team of the HSE comprised 15 people and was under-resourced and thereby ill-equipped to deal with an attack of this magnitude. Insufficient monitoring and multi-factor authentication (“MFA”) were in place. The IT systems had not been strategically designed and were fragmented and siloed.
Actions recommended since include security crisis management planning, proactive response preparation and simulation, penetration testing by ethical hackers, and upgrades to operating systems, infrastructure, support structures, and defence capabilities. This was a zero-day attack; therefore, unlike the 2017 WannaCry attack which crippled the UK’s National Health Service, there was no immediately available patch to secure the vulnerability. By the time the hack had been detected, the HSE systems were already compromised and encrypted. The WannaCry attack incurred losses and costs globally of approximately US $4 billion. The HSE was impacted by that attack but was able to respond swiftly by deploying the Microsoft Windows patch. In the 2021 attack, unlike the WannaCry attack, there was no auto-propagation of the malware.
Interpol had warned in April 2020 of the pattern of hackers beginning to target healthcare providers. Despite this, at the time of the attack, the National Cyber Crime Centre had a budget of just €5M per annum, employing 25 people with no permanent director for several years.
It is of note that the PwC PIR concludes by unequivocally stating that the HSE remains vulnerable to similar cyberattacks.
Reviewing your cybersecurity and privacy programs and maturity will assist you with identifying potential areas of weakness that could leave your organization vulnerable to an attack. In addition, taking steps now to develop and implement an incident response plan means that you will be better prepared when an attack occurs.
For further information on Clark Hill’s cybersecurity practice and the proactive steps which can be taken by organisations to increase their threat responsiveness and mitigate risk, please speak to Sam Saarsteiner (firstname.lastname@example.org) and Aidan Eames (email@example.com) in our Dublin office.